www.seclore.com
192.124.249.53  Public Scan

URL: https://www.seclore.com/blog/human-error-third-party-vendors-trouble/
Submission: On July 04 via manual from SG — Scanned from SG

Text Content

SECLORED: THE DATA SECURITY NEWS BLOG



HUMAN ERROR + THIRD-PARTY VENDORS = TROUBLE

Category: Data Security, Third Party Risk


 * Jun 18, 2024


THIRD-PARTY VENDORS (LIKE SUPPLY CHAIN PARTNERS) SIGNIFICANTLY INCREASE YOUR
THREAT PROFILE.

When it comes to cybersecurity, business partners and third-party vendors
represent one of the MOST significant risks that organizations face, because
many entrust third parties with access to their most sensitive data and systems.
Companies and suppliers in industries like defense, financial services,
manufacturing, and healthcare also operate in highly regulated environments. For
those organizations, meeting stringent compliance requirements such as HIPAA,
SOX, GDPR, Personal Data Protection Bill, etc. is critical to business
operations. As a result, failure to implement the right compliance and
cybersecurity measures can put these companies at greater risk of serious harm.


HOW BIG IS THE PROBLEM?

According to IBM threat intelligence, the average cost of a data breach is $4.45
million, and “Manufacturing is the industry most commonly targeted by
cybercriminals.” Unfortunately, the true cost may be even greater because
breaches and leaks that result in sensitive data getting compromised can be
catastrophic, leading to lost credibility, disrupted supply chains, lost
revenue, and even impacts on national security.

Large companies rarely publish specifics about their supply chains, but a few
pioneering brands have outlined the scale of their supply chains. It’s also
apparent that in recent years, the number of supply chain partners for most
companies has exploded, mostly because of COVID-related supply chain issues:

 * Procter and Gamble has more than 60,000 external business partners (EBPs)
 * Walmart has over 100,000 suppliers
 * TotalEnergies buys from 100,000+ suppliers

NOW LET’S PUT THAT IN CONTEXT FOR THE AVERAGE LARGE ENTERPRISE THAT WE (SECLORE)
SEE EVERY DAY:

 * # of Employees: 10,000+
 * # of Suppliers/Vendors/External Business Partners: 5,000+
 * # of Sensitive emails/Documents shared: 1,200 daily (~300k/year)
 * # of mishandled documents: ~25 or 2% daily

Each of these suppliers represents a potential threat vector, exponentially
increasing the attack surface of the companies they supply. Add to that the
increasing number and sophistication of AI-powered cyberattacks and now we’ve
got some idea just how big this problem is.

AND IT’S NOT JUST US TALKING ABOUT THIS PROBLEM:

Our internal findings also align with what’s being reported externally by
government agencies and non-governmental organizations (NGOs). For example, in
2020, the Royal Canadian Mounted Police (RCMP) reported that 38 agencies’
mishandling of data resulted in more than 5,000 incidents between Jan. 1 and
Dec. 10 in which classified or otherwise protected documents were stored in a
manner that did not meet security requirements (or ~20 incidents every day).
These numbers look conservative when compared to the numbers reported by the US
federal government. It’s been reported that over the last decade, millions of
emails intended for .mil (US military email addresses) were accidentally sent to
.ml addresses, the top-level domain (TLD) for the African nation of Mali. As a
result of this one-character typo and the sheer volume of emails sent, messages
including medical data, identification documents, maps of military
installations, travel itineraries, bookings for high-ranking military leaders,
and more reached .ml addresses rather than their intended .mil ones. While
shocking, this all
represents how hard it is for organizations to anticipate every eventuality when
it comes to protecting their most sensitive data.

Given all this, it’s easy to see how your organization can quickly get out of
compliance, or worse, discover an active breach because sensitive data was
mishandled. Layer hacking, social engineering, and malware into the equation,
and it’s obvious that this is a real “Houston, we have a problem” moment. Even
supply chains for single product lines can be complex. Seclore regularly sees
manufacturers expose sensitive data (intellectual property, strategies, pricing,
release plans, etc.) to thousands of ‘potential’ vendors as part of their
request for proposal (RFP) process, relying solely on Non-Disclosure Agreements
(NDAs) to keep this data safe.

Sadly, this complexity often hides the scale of the problem, which only comes to
light in times of crisis (data breach, pandemic, etc.). So it’s no wonder that we
regularly see organizations in the news for getting hacked — despite their 3rd
party suppliers being the source of the data breach.


 “THEIR” WEAKEST LINK = “YOUR” WEAKEST LINK.

Most security researchers acknowledge that humans are the weakest and most
easily exploited link in an organization’s cybersecurity chain, and studies
confirm this, highlighting the fact that nine out of 10 (88%) data breaches
are caused by employee mistakes. Worse, employees may be unwilling to admit
these mistakes if, for example, organizations penalize those mistakes too
severely.

But let’s put that aside for now, and assume that your internal cybersecurity
culture, training, and awareness are outstanding… how about your suppliers and
3rd party vendors? Now we’re getting to the heart of the problem. Even if you do
most (or all) of the right things, your sensitive data is still at the mercy of
organizations that aren’t under your control, and whatever their cybersecurity
cultures are – unless you embrace a “data-centric” security approach.


BEST PRACTICES FOR PROTECTING SENSITIVE DATA SHARED WITH THIRD PARTIES:

I think we’ve clearly outlined the problem that organizations face to remain
competitive in the digital era. The question is, what can they do to improve
their security posture, particularly when data intentionally (or
unintentionally) leaves their controlled perimeter? The following principles
are all inherent to “data-centric” security, and all of them are prerequisites
for achieving zero trust.

 * Assume that third-party networks are hostile: In the distant past, users
   could be relatively certain that known networks were secure, whereas zero
   trust assumes that any given network is insecure. Whether a network is secure
   or insecure, Seclore dynamically protects sensitive data at all times – at
   rest and in transit.
 * Acknowledge that internal and external threats are endemic: Traditional
   security methods assume networks are secure until a threat is detected.
   Data-centric security turns this model on its head. The goal is to flip the
   risk-reward ratio in favor of data owners. This means that control no longer
   equals access, and data-centric security measures like file-level encryption
   and access control place a tremendous burden on adversaries no matter how
   they acquire protected digital assets.
 * Authenticate and authorize every user and data flow: Data-centric security
   dynamically authorizes and authenticates users on a per-session and per-user
   basis, which makes it easier to enforce least-privileged access.
 * Dynamic Watermarking: Unlike static watermarks, a dynamic watermark is
   context-specific and can change after a publisher first applies it. Context
   can include anything from changes to the document or a user viewing it, to
   the date and time someone opens a file or email.
 * Continuously Assess Risk: Seclore helps organizations continuously assess the
   risks associated with business partners. While organizations should consider
   factors such as security, compliance and data handling practices when
   selecting partners, continuous monitoring means that organizations can
   promptly detect suspicious or unusual activity and potential security
   breaches.
 * Dynamic Access Control: Seclore lets you control who has access to your data,
   what they can do with it, and revoke that access at any time.
     * Dynamically adjust usage-controls like the ability to print, download, or
       copy data
     * Grant access to third parties for a limited period of time, and revoke
       access when a project is finished, an employee is off-boarded, or
       sensitive data is accidentally shared with an unintended recipient.
     * As a last resort, revoke access to all emails/documents if a breach
       includes compromised identities, to limit the harm of that breach.
 * Dynamic Policy Adoption: Extend the value of your DLP/CASB solutions by
   leveraging existing classification policies to apply protection, rights
   management, and information/insights from Seclore. This full circle approach
   brings continuous improvement (CI) to your security posture so you can answer
   questions like:
     * How long should saving data/files be available?
     * Should documents be editable or forwardable to additional recipients?
     * Should classified documents and emails be printable?
     * Should my company allow documents to be opened in any country?

Remember, while business partners can enhance your capabilities, they also
introduce risk. By following these best practices, you can minimize
vulnerabilities and build a more secure network of trust with your partners.
With an advanced solution like Seclore, your organization can reap the benefits
of data-centric security & compliance. By putting data first in your security
architecture, you can clearly understand what digital assets need to be
protected, where they reside, how sensitive they are, and effectively control
access to them.

Many organizations assume that ‘trusting’ their partners/suppliers is the only
path forward; however, this is a false choice. Seclore’s Data-Centric Security
platform eliminates overreliance on third-party vendors who might have a
radically different security posture than you do. By safeguarding the data
itself, rather than focusing primarily on securing networks or devices, Seclore
ensures that your most valuable digital assets remain secure regardless of where
they end up and how they got there. With Seclore, you get better knowledge,
control, and security for your sensitive data, ensuring that third-party vendors
don’t mishandle that data and make your company headline news.



JUSTIN ENDRES



Justin Endres serves as the Chief Revenue Officer and brings two decades’
experience as a channel and sales leader for enterprise and cybersecurity
software companies. Prior to joining Seclore, Justin held various executive
roles at prominent cybersecurity companies, including SolarWinds, AlienVault
(acquired by AT&T), and Webroot (acquired by Carbonite). He's responsible for
driving revenue growth, expanding the company’s global market presence, and
deepening relationships with the channel.




 * Tags:
 * data leakage, data security, data-centric security, human error, risk
   management, third-party risk
